References:
https://gclxry.com/article/tls-callback/
https://stackoverflow.com/questions/14538159/about-tls-callback-in-windows
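A TLS (Thread Local Storage) callback is a rather special entry point: it runs earlier than main(). When a user runs the PE file, the TLS entry point is executed first and main() only afterwards, which is why it is one of the techniques many early viruses used. Today I (Situ) use a simple example to show how to build such an executable.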
main.cpp
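    #include "stdafx.h"
    #include <windows.h>

    // Force the linker to keep the TLS directory.
    // The symbol is __tls_used on x86 and _tls_used on x64.
    #ifdef _WIN64
    #pragma comment(linker, "/INCLUDE:_tls_used")
    #else
    #pragma comment(linker, "/INCLUDE:__tls_used")
    #endif

    // TLS callback: the loader calls it with the same reason codes as DllMain.
    // MessageBoxA is used so the narrow string literals also compile in Unicode builds.
    void NTAPI tls(PVOID module, DWORD reason, PVOID reserved)
    {
        switch (reason) {
        case DLL_PROCESS_ATTACH:
            MessageBoxA(NULL, "Run from TLS (DLL_PROCESS_ATTACH)", "Info", MB_OK);
            break;
        case DLL_THREAD_ATTACH:
            MessageBoxA(NULL, "Run from TLS (DLL_THREAD_ATTACH)", "Info", MB_OK);
            break;
        case DLL_THREAD_DETACH:
            MessageBoxA(NULL, "Run from TLS (DLL_THREAD_DETACH)", "Info", MB_OK);
            break;
        case DLL_PROCESS_DETACH:
            MessageBoxA(NULL, "Run from TLS (DLL_PROCESS_DETACH)", "Info", MB_OK);
            break;
        }
    }

    // Place a pointer to the callback in the CRT's TLS callback array (.CRT$XLB).
    #pragma data_seg(".CRT$XLB")
    PIMAGE_TLS_CALLBACK p_thread_callback_base = tls;
    #pragma data_seg()

    int main(int argc, char** argv)
    {
        MessageBoxA(NULL, "Run from Main", "Info", MB_OK);
        return 0;
    }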
P.S. Compile with Visual Studio.
Done

TLS EntryPoint
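Because these callbacks run before main(), a triage step worth having is listing them statically from the PE's TLS data directory. The following Python parser is an added example, not code from the original post; `tls_callbacks` and `_sample` are hypothetical names, and the sample image is constructed inline rather than taken from a real binary.

```python
import struct

def tls_callbacks(pe):
    """Return the callback VAs listed in the image's TLS directory ([] if none)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, optsz = struct.unpack_from("<H12xH", pe, nt + 6)      # NumberOfSections, SizeOfOptionalHeader
    opt = nt + 24
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B        # PE32+ magic
    ptr, psz = ("<Q", 8) if is64 else ("<I", 4)
    base = struct.unpack_from(ptr, pe, opt + (24 if is64 else 28))[0]   # ImageBase
    dirs = opt + (112 if is64 else 96)                          # start of the data directories
    has_dir = struct.unpack_from("<I", pe, dirs - 4)[0] > 9     # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, dirs + 9 * 8)[0] if has_dir else 0  # entry 9 = TLS
    if tls_rva == 0:
        return []
    sections = [struct.unpack_from("<8x4I", pe, opt + optsz + 40 * i) for i in range(nsec)]

    def offset(rva):                                            # RVA -> file offset
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA %#x is outside every section" % rva)

    cb_va = struct.unpack_from(ptr, pe, offset(tls_rva) + 3 * psz)[0]   # AddressOfCallBacks (a VA)
    if cb_va == 0:
        return []
    found, pos = [], offset(cb_va - base)
    while (va := struct.unpack_from(ptr, pe, pos)[0]) != 0:     # null-terminated pointer array
        found.append(va)
        pos += psz
    return found

def _sample(callbacks):
    """Constructed minimal PE32 image (headers plus one section), for the demo only."""
    base, rva, raw = 0x400000, 0x1000, 0x200
    tls = struct.pack("<6I", 0, 0, 0, base + rva + 24, 0, 0)    # IMAGE_TLS_DIRECTORY32
    body = tls + struct.pack("<%dI" % (len(callbacks) + 1), *callbacks, 0)
    opt = bytearray(224)
    struct.pack_into("<H26xI", opt, 0, 0x10B, base)             # Magic, ImageBase
    struct.pack_into("<I72xII", opt, 92, 16, rva, len(tls))     # NumberOfRvaAndSizes, TLS entry
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIII12xI", b".rdata", len(body), rva, len(body), raw, 0x40000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(raw, b"\0") + body
```

For an executable built from main.cpp above, the returned list should contain the address of `tls`; a non-empty result on a binary that has no reason to use TLS callbacks is worth a closer look.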
